
Malicious DNG Images Exploited Samsung Zero-Day to Deliver LANDFALL Spyware

  • Nov 9, 2025

Key Findings


  • Researchers discovered a previously unknown Android spyware family dubbed LANDFALL, which leveraged a zero-day vulnerability (CVE-2025-21042) in Samsung's image processing library to compromise Galaxy devices.

  • The campaign, active since mid-2024, appears to have targeted users in the Middle East, with the spyware embedded inside malicious DNG image files sent through WhatsApp.

  • The exploit relies on malformed DNG (Digital Negative) image files, exploiting a flaw in Samsung's libimagecodec.quram.so library responsible for image decoding.

  • The malformed DNG files contain a ZIP archive with the spyware payload, enabling zero-click infection and full device surveillance once the image is opened or previewed.

  • LANDFALL is described as "commercial-grade" spyware engineered specifically for Samsung Galaxy models, providing extensive capabilities for call/audio recording, location tracking, and data exfiltration.

  • The spyware's communication with command-and-control servers uses HTTPS over non-standard ephemeral ports, sending encrypted JSON payloads with device identifiers and agent status.

  • While definitive attribution remains unconfirmed, LANDFALL's infrastructure and tradecraft share significant overlap with known commercial spyware vendors and groups linked to the United Arab Emirates.


Background


Researchers from Unit 42, the threat intelligence team at Palo Alto Networks, have uncovered a previously unknown Android spyware family dubbed LANDFALL. This spyware leveraged a zero-day vulnerability (CVE-2025-21042) in Samsung's image processing library to compromise Galaxy devices, targeting users in the Middle East since mid-2024.


Infection Vector: Malicious DNG Images


The LANDFALL spyware was delivered through the exploitation of a vulnerability in Samsung's libimagecodec.quram.so library, which is responsible for decoding image files. Attackers created malformed DNG (Digital Negative) image files that contained a ZIP archive with the spyware payload embedded at the end of the file.


Spyware Capabilities


Once the malicious DNG image was opened or even previewed, the exploit would trigger silently, extracting the shared object (.so) binaries from the ZIP payload and executing them on the device. This zero-click infection mechanism enabled comprehensive surveillance capabilities, including:


  • Recording calls and ambient audio

  • Stealing contacts, SMS, app data, and photos

  • Tracking location and monitoring installed applications

  • Detecting and evading analysis frameworks like Frida and Xposed
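The delivery mechanism described above, a valid-looking DNG (TIFF container) with a ZIP archive appended after the image data, is a file-level polyglot that a gateway or endpoint scanner can look for without needing the exploit itself. The following script is an added example written for this summary; it is not Unit 42's or Samsung's code and is not taken from the reports cited below. It parses the ZIP end-of-central-directory record from the tail of the file, checks that the central directory and first local header are where the record says they are (accounting for the image bytes in front of the archive), and reports any entries ending in `.so`. The sample files it builds are constructed: a minimal TIFF header with an empty IFD, and a ZIP containing placeholder bytes under the names `b.so` and `l.so` from the report, not real binaries.

```python
"""Scan DNG/TIFF files for a structurally consistent ZIP archive appended to the image."""
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little-endian / big-endian TIFF magic
EOCD_SIG = b"PK\x05\x06"                  # ZIP end-of-central-directory signature
CENTRAL_SIG = b"PK\x01\x02"               # central directory file header signature
LOCAL_SIG = b"PK\x03\x04"                 # local file header signature


def is_tiff_like(data: bytes) -> bool:
    """DNG is a TIFF-based container, so the first four bytes identify it."""
    return data[:4] in TIFF_MAGICS


def find_appended_zip(data: bytes):
    """Return (zip_start_offset, entry_names) when a consistent ZIP ends the file, else None."""
    # The EOCD record is at most 22 bytes + a 65535-byte comment from the end.
    tail_start = max(0, len(data) - 65557)
    eocd = data.rfind(EOCD_SIG, tail_start)
    if eocd < 0 or len(data) - eocd < 22:
        return None
    # After the signature: disk, cd_disk, entries_this_disk, entries_total,
    # cd_size, cd_offset, comment_len.
    _, _, _, n_total, cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    if n_total == 0 or cd_size < 46:
        return None
    # cd_offset is relative to the start of the ZIP; for an appended archive that
    # start is shifted by the length of the image data preceding it.
    shift = eocd - (cd_offset + cd_size)
    if shift < 0:
        return None
    cd = eocd - cd_size
    if data[cd:cd + 4] != CENTRAL_SIG:
        return None
    # Local header offset sits at +42 in the first central directory entry.
    local_off = struct.unpack_from("<I", data, cd + 42)[0] + shift
    if data[local_off:local_off + 4] != LOCAL_SIG:
        return None
    # zipfile tolerates data in front of the archive, so it can list the entries.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return shift, names


def scan_dng(data: bytes) -> dict:
    """Classify a file: is it TIFF-like, does it carry an appended ZIP, and which native libs are inside."""
    result = {"tiff": is_tiff_like(data), "appended_zip": False,
              "payload_names": [], "native_libs": []}
    if not result["tiff"]:
        return result
    found = find_appended_zip(data)
    if found:
        shift, names = found
        result["appended_zip"] = True
        result["zip_offset"] = shift
        result["payload_names"] = names
        result["native_libs"] = [n for n in names if n.endswith(".so")]
    return result


def minimal_tiff() -> bytes:
    """Constructed sample: little-endian TIFF header plus one empty IFD (not a real image)."""
    header = b"II*\x00" + struct.pack("<I", 8)          # IFD0 begins at offset 8
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)   # zero entries, no next IFD
    return header + ifd


def constructed_polyglot() -> bytes:
    """Constructed sample: image header followed by a ZIP whose entries are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("b.so", b"\x00placeholder-not-real-code")
        zf.writestr("l.so", b"\x00placeholder-not-real-code")
    return minimal_tiff() + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", minimal_tiff()), ("polyglot", constructed_polyglot())):
        print(label, scan_dng(blob))
```

A hit from `scan_dng` is a strong signal: a photograph has no reason to end with a ZIP whose central directory resolves correctly, and entries named `*.so` make it stronger still. The check only proves an archive is present, not that the file is an exploit, so it belongs as a quarantine-and-review rule at a mail or messaging gateway rather than a block-on-sight rule.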


Command-and-Control Infrastructure


LANDFALL's core components, b.so and l.so, communicated with command-and-control (C2) servers over HTTPS using non-standard ephemeral ports. The encrypted JSON payloads contained device identifiers, configuration keys, and agent status updates.
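TLS sessions to high, non-standard ports are the observable side of the C2 behaviour described above, and they are easy to surface from network flow records. The script below is an added example for this summary, not code from the report or from any vendor product. It assumes a simple CSV export of flow records with columns `ts,src,dst,dport,app` (where `app` is the protocol a sensor identified inside the session); the records themselves are constructed and use documentation IP ranges. It flags TLS on any port outside a small allow-list, marks hits that fall in the IANA dynamic range, and summarizes per source host so an analyst can see which devices keep talking to which endpoints.

```python
"""Flag outbound TLS sessions on non-standard ports in flow records."""
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not real telemetry); the column layout is an assumption.
SAMPLE_FLOWS = """\
ts,src,dst,dport,app
2024-07-01T10:00:01Z,galaxy-01,203.0.113.10,443,tls
2024-07-01T10:00:05Z,galaxy-01,203.0.113.10,443,tls
2024-07-01T10:02:11Z,galaxy-02,198.51.100.7,52133,tls
2024-07-01T10:02:40Z,galaxy-02,198.51.100.7,60021,tls
2024-07-01T10:03:00Z,galaxy-03,192.0.2.44,53,dns
2024-07-01T10:04:19Z,galaxy-02,198.51.100.9,8443,tls
malformed line without commas
"""

STANDARD_TLS_PORTS = {443, 8443}   # ports where TLS is expected in this environment (assumption)
EPHEMERAL_MIN = 49152              # start of the IANA dynamic/private port range


def parse_flows(text: str) -> list:
    """Parse CSV flow records, skipping malformed rows instead of aborting the scan."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            rows.append({"ts": row["ts"], "src": row["src"], "dst": row["dst"],
                         "dport": int(row["dport"]), "app": row["app"]})
        except (KeyError, TypeError, ValueError):
            continue
    return rows


def tls_on_nonstandard_ports(rows: list) -> list:
    """Return (src, dst, dport, in_ephemeral_range) for TLS sessions on unexpected ports."""
    hits = []
    for r in rows:
        if r["app"] == "tls" and r["dport"] not in STANDARD_TLS_PORTS:
            hits.append((r["src"], r["dst"], r["dport"], r["dport"] >= EPHEMERAL_MIN))
    return hits


def summarize_by_host(hits: list) -> dict:
    """Group flagged (dst, dport) pairs per source host for triage."""
    per_host = defaultdict(set)
    for src, dst, dport, _ in hits:
        per_host[src].add((dst, dport))
    return {src: sorted(pairs) for src, pairs in per_host.items()}


if __name__ == "__main__":
    flagged = tls_on_nonstandard_ports(parse_flows(SAMPLE_FLOWS))
    for src, pairs in summarize_by_host(flagged).items():
        print(src, pairs)
```

On its own, TLS to an odd port is noisy in a general enterprise, so this works best scoped to mobile device segments and correlated with the image-file indicator: a device that received a DNG carrying an appended archive and then began speaking TLS to a high port is worth isolating.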


Potential Attribution


While definitive attribution remains unconfirmed, the researchers noted significant overlap between LANDFALL's infrastructure, tradecraft, and code artifacts and those of known commercial spyware vendors and groups linked to the United Arab Emirates, such as Stealth Falcon. The term "Bridge Head", which appears in LANDFALL's debug strings, is also a codename commonly used by private-sector offensive actors (PSOAs).


Sources


  • https://securityonline.info/zero-click-samsung-zero-day-cve-2025-21042-delivered-landfall-spyware-via-malicious-dng-images/

  • https://www.securityweek.com/landfall-android-spyware-targeted-samsung-phones-via-zero-day/
